Commenting on this, Ksenia Peguero, senior research lead at Synopsys, said “This story has a couple of interesting aspects. One is that developers and companies usually trust CDNs and data that is coming from a Content Delivery Network (CDN). But once a CDN gets infected by malware, the scripts it is serving will likely be used by more than one application. Therefore, compromising a CDN provides a wider attack surface. In this case, however, it looks like the attack was quite targeted as the feedbackembad-min-1.0.js file seems to only be used by the Feedify service.
We always talk about how we need to do composition analysis and understand what open source libraries we are bringing into our commercial products. But on top of that we should conduct composition analysis and security evaluation of the third-party libraries constantly, as they may be modified by attackers if the storage location such as a CDN or even an internal server is infected by malware or compromised in another way.”
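One concrete way to do the continuous evaluation the quote calls for is to pin the reviewed copy of each third-party script by its Subresource Integrity (SRI) hash and re-check every fetched copy against that pin, so a script silently swapped on a CDN or internal server shows up as drift. The following is an added example written for this article, not code from Feedify, Synopsys or the original report; the script bodies are constructed placeholders, and the `fetched` dictionary stands in for whatever fetcher a team already uses (the example deliberately makes no network calls).

```python
import base64
import hashlib

# Constructed sample: the script body a team reviewed and pinned at build time.
REVIEWED_SCRIPT = b"(function(){window.feedback=function(){/* reviewed build */};})();"
# Constructed sample: the same script with extra code appended, standing in for a
# copy that was modified at the storage location after review.
MODIFIED_SCRIPT = REVIEWED_SCRIPT + b"\n(function(){/* unreviewed addition */})();"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity string ('<algo>-<base64 digest>') for content.

    sha384 is the usual choice for the HTML integrity attribute; sha256 and
    sha512 are also valid SRI algorithms.
    """
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_pinned(content: bytes, pinned: str) -> dict:
    """Compare a freshly fetched copy of a script against its pinned SRI value.

    The algorithm is taken from the pin itself so the check keeps working if a
    team pins some scripts with sha256 and others with sha384.
    """
    algo, _, _ = pinned.partition("-")
    observed = sri_hash(content, algo)
    return {"match": observed == pinned, "pinned": pinned, "observed": observed}


def find_drift(fetched: dict, pins: dict) -> list:
    """Return the names of scripts whose fetched copy does not match its pin.

    A script with no pin at all is reported too: an unpinned dependency was
    never reviewed, so it is a finding rather than a pass.
    """
    drifted = []
    for name, content in fetched.items():
        pin = pins.get(name)
        if pin is None or not check_pinned(content, pin)["match"]:
            drifted.append(name)
    return sorted(drifted)


if __name__ == "__main__":
    # Hypothetical script names; the hosts are illustrative, not real CDN paths.
    pins = {"feedback-widget.js": sri_hash(REVIEWED_SCRIPT)}
    fetched = {
        "feedback-widget.js": MODIFIED_SCRIPT,   # changed since review
        "analytics-loader.js": b"/* never pinned */",
    }
    for name in find_drift(fetched, pins):
        print(f"DRIFT: {name} does not match its reviewed pin")
```

Run periodically (for example from the same job that performs composition analysis), the pin file doubles as the `integrity` attribute value for the corresponding `<script>` tag, so the browser enforces the same hash at load time that the monitoring job checks out of band.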